ABSTRACT

A word-oriented technique for generating a pseudo-random sequence, e.g., a keystream (17) for use in a stream cipher. Specifically, the technique utilizes two different arrays (653, 657) with each array having illustratively 256 32-bit elements. One array (653) contains a 256 element 32-bit S-box. An output stream generated by the S-box, i.e., S_i, is applied as one input to a first hash function. This hash function, in response to input S_i multiplied by a variable, C, provides the output keystream. S-box element S_i is then updated through a second hash function having, as its input, the current value of S_i multiplied by the variable C. The variable, C, initially a random variable, is itself updated, for use during a next iteration, through an additive combination of its current value and a corresponding element in the second array (G), i.e., G_j. Both the S-box and G array can be initialized by, e.g., entirely filling each of these arrays with random 32-bit values. This technique, when used to generate a keystream for a stream cipher, appears to be just as secure as a conventional RC4 cipher and, by operating on a word- rather than a byte-level, is considerably faster than an RC4 keystream generator. Hence, this technique, when used in cryptographic applications, is particularly well suited for use in devices that have limited computational resources and would not be amenable to use of the RC4 stream cipher.

45 Claims, 4 Drawing Sheets
LIGHTWEIGHT WORD-ORIENTED TECHNIQUE FOR GENERATING A PSEUDO-RANDOM SEQUENCE FOR USE IN A KEYSTREAM OF A STREAM CIPHER

BACKGROUND OF THE DISCLOSURE

1. Field of the Invention

The invention relates to cryptography, particularly a word-oriented technique for generating a pseudo-random sequence, such as a keystream for use in, e.g., a stream cipher. Advantageously, this technique is not only fast and secure but also requires relatively little processing power to implement, i.e., is "lightweight".

2. Description of the Prior Art

Over the centuries, for as long as information has been communicated between two individuals, the information has been susceptible to third-party interception, eavesdropping, compromise and/or corruption. Clearly, the problem of securely protecting information from such acts has existed for quite a long time.

Traditionally, this problem has been handled through the development, over the years, of increasingly sophisticated cryptographic techniques. One class of these techniques involves key-based ciphers. Through a key-based cipher, sequences of intelligible data, i.e., plaintext, that collectively form a message are each mathematically transformed, through an enciphering algorithm, into seemingly unintelligible data, i.e., so-called ciphertext. Not only must the transformation be completely reversible, i.e., two way in the sense that the ciphertext must be invertible back to its corresponding original plaintext, but also on a 1:1 basis, i.e., each element of plaintext can only be transformed into one and only one element of ciphertext. In addition, a particular cipher that generated any given ciphertext must be sufficiently secure from cryptanalysis. To provide a requisite level of security, a unique key is selected which defines only one unique corresponding cipher, i.e., precluding, to the extent possible, a situation where multiple differing keys each yields reversible transformations between the same plaintext-ciphertext correspondence. The strength of any cryptographic technique and hence the degree of protection it affords from third-party intrusion is directly proportional to the time required, by a third-party, to perform cryptanalysis, e.g., with a key-based cipher to successfully convert the ciphertext into its corresponding plaintext without prior knowledge of the key. While no encryption technique is completely impervious to cryptanalysis, the immense number of calculations and the extremely long time interval, given the computing technology then available, required to break a cipher without prior knowledge of its key effectively renders many techniques, for all practical intents and purposes, sufficiently secure to warrant their widespread adoption and use.

Key-based ciphers include both symmetric and public-key algorithms. Inasmuch as public-key algorithms are not relevant to the present invention, they will not be discussed any further.

Symmetric algorithms are those through which the encryption key can be calculated from the decryption key, and vice versa. Generally, in these algorithms, the two keys are the same, with the security of the algorithm resting, in good measure, on the security of the key. Symmetric algorithms themselves are divided into stream ciphers (also referred to as "stream algorithms") and block ciphers. A stream cipher operates on a bit or byte of plaintext at a time, in contrast to block ciphers which operate on a predefined group of bits (a "block", such as 64 bits) of plaintext at a time. Since block ciphers are also not relevant to the present invention, they will also not be discussed any further.

A very simple form of a stream cipher relies on generating, at an encryption end and through a so-called keystream generator, a pseudo-random sequence (K) of bits k_1, k_2, k_3, ..., k_n. These bits are combined, on a bit-by-bit exclusive-OR (XOR) basis, with incoming bits of plaintext (P), specifically p_1, p_2, p_3, ..., p_n, to yield resulting bits (C), specifically c_1, c_2, c_3, ..., c_n, of ciphertext. At a decryption end, the bits of ciphertext are combined, again on a bit-by-bit XOR basis, with an identical keystream to recover the plaintext bits. With this cipher, the security of the cipher itself, apart from that of the key itself, rests entirely on the keystream, i.e., the level of difficulty which a cryptanalyst encounters in attempting to discern, from the ciphertext, the algorithm that generates the pseudo-random keystream. With a stream cipher, both the encrypting and decrypting ends of a communications link use identical keystream generators that are initialized in the same manner and operate in synchronization with respect to the ciphertext. Identical keystreams assure, in the absence of transmission and other errors, that the recovered plaintext will match the incoming plaintext. For further details on stream ciphers, the reader is referred to B. Schneier, Applied Cryptography, Second Edition (© 1996, John Wiley and Sons), pages 197-199 and 397-398; and G. Simmons, Contemporary Cryptography (© 1992, IEEE Press), pages 67-75, which are all incorporated by reference herein.

As recently as a few years ago, if a cipher was of such complexity that it required on the order of man-years or more to break, in view of the state of the processing technology then available to do so, the underlying cryptographic technique was viewed by many as rendering a sufficient degree of security to warrant its use. However, computing technology continues to rapidly evolve. Processors, once unheard of just a few years ago in terms of their high levels of sophistication and speed, are becoming commercially available at ever decreasing prices. Consequently, processing systems, such as personal computers and workstations, that were previously viewed as not possessing sufficient processing power to break many so-called "secure" cryptographic ciphers are now, given their current power and sophistication, providing third parties with the necessary capability to effectively break those same ciphers. What may have taken years of continual computing a decade ago can now be accomplished in a very small fraction of that time. Hence, as technology evolves, the art of cryptography advances in lockstep in a continual effort to develop increasingly sophisticated cryptographic techniques that withstand correspondingly intensifying cryptanalysis.

Over the past few years, the Internet community has experienced explosive and exponential growth, growth that, by many accounts, will only continue increasing. Given the vast and increasing magnitude of this community, both in terms of the number of individual users and web sites and sharply reduced costs associated with electronically communicating information, such as e-mail messages and electronic files, over the Internet between one user and another as well as between any individual client computer and a web server, electronic communication, rather than more traditional postal mail, is rapidly becoming a medium of choice for communicating information, whether it be, e.g., an e-mail message or a program update file. In that regard, the cost of sending an electronic file between computers located
on opposite sides of the Earth is a very small fraction of the cost associated with storing that file on a diskette (or other media) and transporting that media between these locations even through the least expensive class of postal mail service. However, the Internet, being a publicly accessible network, is not secure and in fact, has been and increasingly continues to be a target of a wide variety of attacks from various individuals and organizations intent on eavesdropping, intercepting and/or otherwise compromising or even corrupting message traffic flowing on the Internet or illicitly penetrating sites connected to the Internet. This security threat, in view of the increasing reliance placed on use of the Internet as a preferred medium of communication, exacerbates the efforts in the art, otherwise fostered by primarily continuing advances in computing power, to develop increasingly strong cryptographic techniques that provide enhanced levels of security to electronic communication.

Stream ciphers, given their nature of generating extended pseudo-random sequences, would be particularly useful in encrypting extremely long plaintext streams, such as video, or packet traffic, such as TCP/IP packets, appearing on, e.g., an Internet connection.

Currently, a conventional stream cipher that encounters rather widespread use is an "RC4" stream cipher ("RC4" is a registered trademark of RSA Data Security Inc. of Redwood City, Calif.). Advantageously, the RC4 stream cipher is independent of the plaintext being encrypted and is quite easy to implement. This cipher is claimed in the art to be immune to differential and linear cryptanalysis and is highly non-linear with approximately 2^700 different states. This cipher relies on a 256-value substitution box, a so-called "S-box", to generate each byte of an output keystream. This S-box initially contains entries which are permutations, as a function of a variable length key, of values 0 through 255. In use, the contents of the S-box slowly evolve with use in a fashion that ensures that every element in the box randomly changes; hence, supporting a belief in the art that the output byte is a secure pseudo-random sequence. The RC4 cipher is byte-based and generates an output byte that is XORed with either a byte of plaintext to produce a corresponding byte of ciphertext, or with a byte of ciphertext to produce a corresponding byte of recovered plaintext.

Presently, the RC4 cipher appears to be sufficiently secure to thwart realistic cryptanalysis and, given its ease of implementation, quite useful in a broad range of applications. However, in some applications, such as real-time encryption of multi-stream video data, such as in a video server, as well as keyboard entries at a local client computer, this cipher has proven to be too slow to be effective. Moreover and currently, TCP/IP layer encryption (which would, if implemented through a stream cipher, be rather advantageous) can not be effectively provided in real-time in certain high-data rate applications, such as video streaming, due to excessive processing time required to generate the keystream.

Furthermore, a multitude of consumer and other low-end products, such as, e.g., remote controls, home devices and personal digital assistants, are currently incorporating microprocessors, though with rather limited processing capacity (e.g., diminished execution speed). To provide sufficient security for their users, these devices should implement some form of encrypted communication. Unfortunately, the limited computing power currently available in such devices effectively precludes use of the RC4 cipher, or other conventional keystream generators, in such devices and hence, to a certain extent, frustrates the ability of these devices to support sufficiently secure encrypted communication. This result is particularly evident with respect to the RC4 stream cipher given its byte-based nature and hence relatively slow throughput.

Therefore, a need exists in the art for a cryptographic technique for generating a pseudo-random keystream for use in a stream cipher that is considerably faster than conventional algorithms, such as the RC4 cipher, and provides at least the same level of security as do these algorithms. Such a technique would advantageously find use in a multitude of applications which, owing to, e.g., high data rates or limited available processing resources, are simply not amenable to use of the RC4 cipher or other conventional keystream generators.

SUMMARY OF THE INVENTION

Advantageously, our inventive technique for generating a pseudo-random sequence satisfies this need and overcomes the deficiencies in the art by utilizing, in accordance with our broad inventive teachings, two different arrays, with each array having illustratively 256 32-bit elements. One array, the S array, contains a 256 element 32-bit S-box. An output stream generated by the S-box, i.e., S_i, is applied as one input to a first predefined function, e.g., a first hash function. This predefined function, in response to this input, S_i, multiplied by a variable, C, provides the output pseudo-random sequence, e.g., the keystream. The S-box element S_i is then updated through a second predefined function, e.g., another hash function, having, as its input, the current value of S_i multiplied by the variable C. The variable, C, initially a random variable, is itself updated, for use during a next iteration, through an additive combination of its current value and a corresponding element in the second array (G), i.e., G_j. Both the S-box and G array can be initialized by, e.g., entirely filling each of these arrays with random 32-bit values.

Our inventive technique advantageously operates on a word level, e.g., 32 bits, rather than on a byte level. As such, this technique is considerably faster than the RC4 keystream generator. Moreover, this technique, when used to generate a keystream for use in a stream cipher, appears to be just as secure as does the conventional RC4 cipher. Consequently, our technique is particularly well suited for use in devices, e.g., consumer and other low-end products, that have limited computational resources and would not be amenable to use of the RC4 cipher.

As a feature of our specific inventive teachings, a further random variable and another hash function can be incorporated into our inventive technique, either separately or together, to further enhance its security, if desired, when used in cryptographic application.

BRIEF DESCRIPTION OF THE DRAWINGS

The teachings of the present invention can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:

FIG. 1 depicts a diagram of an overall cryptographic process that incorporates the teachings of the present invention;

FIG. 2 depicts a high-level block diagram of a typical and conventional Internet-based client-server processing environment that illustratively utilizes the present invention;

FIG. 3 depicts a block diagram of conventional client computer 100 shown in FIG. 2 in which the present invention is implemented;
FIG. 4 depicts a simple stream cipher, as conventionally used in the art;

FIG. 5A depicts a flowchart of conventional RC4 keystream generator procedure 500 as could be implemented in a client computer;

FIG. 5B graphically depicts S-box 550 as used in conventional procedure 500 shown in FIG. 5A;

FIG. 6A depicts a flowchart of our inventive keystream generator procedure 600 as would be implemented in client computer 100 shown in FIGS. 2 and 3; and

FIG. 6B graphically depicts S and G arrays 653 and 657, respectively, as used in our inventive procedure 600 shown in FIG. 6A.

To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.
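The word-oriented generator outlined in the abstract and in the Summary of the Invention (32-bit S and G arrays, the multiplier C, a first hash function producing the keystream word and a second one updating S_i, and C updated additively from G_j), as an added C example that is not code from the patent. This page does not specify the two hash functions, how the counters i and j advance, or how the "random 32-bit values" are produced, so the multiply-xorshift mixers hash1/hash2, the advance-by-one counters and the seeded xorshift32 fill below are assumptions made here for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define WG_M 256   /* number of elements in S-array 653 */
#define WG_N 256   /* number of elements in G-array 657 */

typedef struct {
    uint32_t S[WG_M];  /* 32-bit S-box */
    uint32_t G[WG_N];  /* second array G */
    uint32_t C;        /* multiplier, updated additively from G_j each iteration */
    uint32_t i, j;     /* counters, both start at zero (block 610) */
} word_gen;

/* ASSUMPTION: placeholder 32-bit mixers standing in for the patent's two
 * hash functions, which this page does not specify. */
static uint32_t hash1(uint32_t x)
{
    x ^= x >> 16; x *= 0x7feb352dU; x ^= x >> 15; x *= 0x846ca68bU; x ^= x >> 16;
    return x;
}
static uint32_t hash2(uint32_t x)
{
    x ^= x >> 17; x *= 0xed5ad4bbU; x ^= x >> 11; x *= 0xac4c1b51U; x ^= x >> 15;
    return x;
}

/* Constructed xorshift32, used only to fill S, G and C from a seed so the
 * example is deterministic; the page only says "random 32-bit values". */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Block 610: fill S and G, set i and j to zero, initialize C. */
void wg_init(word_gen *g, uint32_t seed)
{
    uint32_t s = seed ? seed : 0x9e3779b9U;   /* xorshift must not start at 0 */
    for (int k = 0; k < WG_M; k++) g->S[k] = xorshift32(&s);
    for (int k = 0; k < WG_N; k++) g->G[k] = xorshift32(&s);
    g->C = xorshift32(&s);
    g->i = 0;
    g->j = 0;
}

/* One iteration: keystream word = hash1(S_i * C); S_i <- hash2(S_i * C);
 * C <- C + G_j (all mod 2^32); then advance i and j (ASSUMPTION: by one). */
uint32_t wg_next(word_gen *g)
{
    uint32_t x = g->S[g->i] * g->C;   /* S_i multiplied by the variable C */
    uint32_t out = hash1(x);         /* first hash function: output word */
    g->S[g->i] = hash2(x);           /* second hash function: update S_i */
    g->C += g->G[g->j];              /* additive combination of C and G_j */
    g->i = (g->i + 1) % WG_M;
    g->j = (g->j + 1) % WG_N;
    return out;
}

/* FIG. 1 at word level: XOR keystream words onto buf in place. The same
 * call on an identically initialized generator turns ciphertext back. */
void wg_xor_words(word_gen *g, uint32_t *buf, size_t nwords)
{
    for (size_t n = 0; n < nwords; n++)
        buf[n] ^= wg_next(g);
}

/* First keystream word for a seed, for determinism checks. */
uint32_t wg_first_word(uint32_t seed)
{
    word_gen g;
    wg_init(&g, seed);
    return wg_next(&g);
}

/* Constructed check: encrypt four words with one generator and decrypt with
 * a second one seeded identically; returns 1 if the plaintext is recovered. */
int wg_roundtrip_ok(uint32_t seed)
{
    const uint32_t msg[4] = { 0x48656c6cU, 0x6f2c2077U, 0x6f726c64U, 0x21000000U };
    uint32_t buf[4];
    for (int k = 0; k < 4; k++) buf[k] = msg[k];
    word_gen enc, dec;
    wg_init(&enc, seed);
    wg_xor_words(&enc, buf, 4);      /* buf now holds ciphertext */
    wg_init(&dec, seed);
    wg_xor_words(&dec, buf, 4);      /* buf now holds recovered plaintext */
    for (int k = 0; k < 4; k++)
        if (buf[k] != msg[k]) return 0;
    return 1;
}
```

Because S_i * C is reduced mod 2^32, an S_i of zero stays zero under these placeholder mixers and even factors shed low bits, so this block illustrates the data flow of the technique rather than a vetted instantiation of it.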

DETAILED DESCRIPTION

After considering the following description, those skilled in the art will clearly realize that the teachings of our present invention can be utilized in any one of an extremely wide range of applications where fast and secure encryption of information is needed, such as for real-time video applications or real-time encryption of keyboard entry, and/or where processing power is limited, such as for use in remote control or other "small" devices. Information, in this instance and as the term will be used hereinafter, is defined as generically encompassing all information that can be stored digitally, regardless of its specific content, i.e., whether that information is executable program code or data of one form or another. For purposes of simplification, we will discuss our invention in the context of use in a client-server processing environment to encrypt packetized messages which are to be communicated over an insecure network, such as the Internet.

A. Overview

FIG. 1 depicts a diagram of an overall cryptographic process that incorporates the teachings of the present invention. As shown, incoming plaintext information 5 emanating from an originating (source) location is organized into so-called "messages". Each such message, designated as P, appearing on input line 3 contains a succession of words, typically 32 bits in length. Each such plaintext word is encrypted, through our inventive cryptographic technique as will be described in detail below in conjunction with FIGS. 4, 6A and 6B, into a corresponding word of ciphertext 15. A ciphertext message, designated as C, is formed of successive 32-bit words of ciphertext. Resulting ciphertext message C is then stored or transferred, through a given modality, e.g., a network communication channel, represented by dashed line 17, to a recipient (destination) location. Here, the ciphertext message is decrypted to yield recovered plaintext message 25, also denoted as plaintext message P', which is identical in all aspects to original plaintext message P.
B. Illustrative Processing Environment

With the above in mind, consider FIG. 2 which depicts a high-level block diagram of client-server processing environment 50 that utilizes the present invention.

As shown, this environment contains computer 200 which implements server 210, the latter illustratively being a web server. A number of individual remotely-located client computers, each being illustratively a personal computer (PC), of which only one such client, i.e., client computer 100, is specifically shown, is connected using appropriate communications channels, such as channels 140 and 160, through an insecure communications network, here shown as illustratively Internet 150, to computer 200. A user (not specifically shown), stationed at client computer 100 and desirous of obtaining information from the server can invoke a corresponding client program at that computer. The client program forms one of a number of application programs 120 that collectively reside within and are executed by client computer 100. Though the client program is specifically shown as residing within the application programs, the former can also be implemented as a component, such as a web browser, of an operating system (O/S), for example, of O/S 337 shown in FIG. 3. Server 210, shown in FIG. 2, can implement any of a wide variety of application functions including, for example, a commerce server, a banking server, an electronic mail or a file server. As to electronic commerce, the user might desire to conduct a commercial transaction through server 210 that involves providing (as symbolized by line 110) information to the server, such as an account number of the user at a financial institution and payment instructions to transfer funds to a payee, or obtaining (as symbolized by line 135) information from the server, such as available account or credit balances of the user, which, in either event, is confidential to that user and needs to be encrypted.

Network 150, being illustratively the Internet, is susceptible to being compromised by a third-party. In that regard, the third party could intercept a message then being carried over the network and emanating from, e.g., client computer 100, for, e.g., an on-going financial transaction involving a user situated thereat.

To safeguard the confidential or proprietary nature of the information, transiting over network 150, between client computer 100 and computer 200, from third-party access, both the client program 130 and server 210 each utilize cryptographic communication through incorporation of encryption 410 and decryption 460 therein. As such, packetized messages destined for network carriage and generated by one network application peer, either client program 130 or server 210, can be encrypted at a TCP/IP layer by encryption procedure 410 therein to yield corresponding packetized ciphertext messages, which, in turn, are then each transmitted over network 150 to the other network application peer. Similarly, packetized ciphertext messages received, from the network, by each of the peers can be decrypted by decryption 460 therein, at a TCP/IP layer, to yield an appropriate recovered packetized plaintext message. Encryption 410 and decryption 460 are inverse procedures of each other and can be provided, within client computer 100, through illustratively client program 130.

C. Client Computer 100

FIG. 3 depicts a block diagram of client computer (PC) 100.

As shown, client computer 100 comprises input interfaces (I/F) 320, processor 340, communications interface 350, memory 330 and output interfaces 360, all conventionally interconnected by bus 370. Memory 330 generally includes different modalities, illustratively random access memory (RAM) 332 for temporary data and instruction store, diskette drive(s) 334 for exchanging information, as per user command, with floppy diskettes, and non-volatile mass store 335 that is implemented through a hard disk, typically magnetic in nature. Mass store 335 may also contain a CD-ROM or other optical media reader (not specifically shown) (or writer) to read information from (and write information onto) suitable optical storage media. In addition, mass store 335 also stores operating system (O/S) 337 and application programs 120; the latter illustratively containing client program 130 (see FIG. 2) which
incorporates our inventive cryptographic technique. O/S 337, shown in FIG. 3, may be implemented by any conventional operating system, such as the WINDOWS NT operating system. Given that, we will not discuss any components of O/S 337 as they are all irrelevant. Suffice it to say that the client program, being one of application programs 120, executes under control of the O/S.

Advantageously, our present inventive technique for generating a pseudo-random sequence, here a keystream for use in a stream cipher, when embedded for use within a client program requires no user interaction and thus, in use, can be substantially, if not totally, transparent to the user.

As shown in FIG. 3, incoming information can arise from two illustrative external sources: network supplied information, e.g., from the Internet and/or other networked facility, through network connection 140 to communications interface 350, or from a dedicated input source, via path(es) 310, to input interfaces 320. Dedicated input can originate from a wide variety of sources, e.g., an external data source. In addition, input information, in the form of files or specific content therein, can also be provided by inserting a diskette containing the information into diskette drive 334 from which computer 100, under user instruction, will access and read that information from the diskette. Input interfaces 320 contain appropriate circuitry to provide necessary and corresponding electrical connections required to physically connect and interface each differing dedicated source of input information to computer system 100. Under control of the operating system, application programs 120 exchange commands and data with the external sources, via network connection 140 or path(es) 310, to transmit and receive information typically requested by a user during program execution.

Input interfaces 320 also electrically connect and interface user input device 395, such as a keyboard and a mouse, to computer system 100. Display 380, such as a conventional color monitor, and printer 385, such as a conventional laser printer, are connected, via leads 363 and 367, respectively, to output interfaces 360. The output interfaces provide requisite circuitry to electrically connect and interface the display and printer to the computer system. As one can appreciate, our present inventive technique can operate with any type of digital information regardless of the modalities through which client computer 100 will obtain that information, store and/or communicate that information. Furthermore, since the specific hardware components of computer system 100 as well as all aspects of the software stored within memory 335 (including TCP/IP layer encryption in general and related TCP/IP processing), apart from the modules that implement the present invention, are conventional and well-known, they will not be discussed in any further detail. Generally speaking, computer 200 has an architecture that is quite similar to that of client computer 100.

D. Inventive Cryptographic Technique

Our inventive technique generates a pseudo-random sequence, for use as, e.g., a keystream in a stream cipher, in a manner that is considerably faster than conventional algorithms, such as a generator in the RC4 cipher, and, when used in such a cipher, provides at least the same, if not a greater, level of security as do these algorithms. Given this, our inventive technique should advantageously find use in a multitude of applications which, owing to, e.g., high data rates or limited available processing resources, are simply not amenable to use of the RC4 cipher or other conventional keystream generators.

To enhance reader understanding of our present invention and prior to describing our inventive technique, we will first digress slightly to provide a concise generalized description of a simple stream cipher followed by describing the RC4 stream cipher as it is known in the art.

FIG. 4 depicts a simple stream cipher, as conventionally used in the art. As shown, within encryption 410 and at a source location, keystream generator 420, given an input value or series of values (referred to collectively as a "seed") appearing on lead 423, generates, on lead 427, a pseudo-random sequence (K) of bits k_1, k_2, k_3, ..., k_n. These "keystream" bits (K) are combined, on a bit-by-bit basis through exclusive-OR operation 430, with incoming bits of plaintext (P), specifically p_1, p_2, p_3, ..., p_n, to yield resulting bits of ciphertext (C), specifically c_1, c_2, c_3, ..., c_n. The ciphertext is applied through link 440, typically a communications link of one form or another, to a destination location. To implement decryption 460 at the destination location, the bits of ciphertext are combined, again on a bit-by-bit XOR basis, though here through operation 480, with an identical keystream, appearing on lead 477, to recover the plaintext bits. This keystream, at the destination location, is generated through keystream generator 470 which is identical to generator 420. To ensure that the ciphertext is properly decrypted into plaintext, both keystream generators utilize the same seed and operate synchronously with respect to the ciphertext to generate identical keystreams. In that regard, the exact same bytes of keystream bits, K, are used to encrypt, at the source location (i.e., an encrypting end), a byte of original plaintext into a byte of ciphertext and, at the destination location (i.e., a decrypting end), to decrypt that same byte of ciphertext into a corresponding byte of plaintext, P_i, such that the recovered original bytes of plaintext are the same. For further details on stream ciphers, the reader is referred to B. Schneier, Applied Cryptography, Second Edition (© 1996, John Wiley and Sons), pages 197-199 and 397-398; and G. Simmons, Contemporary Cryptography (© 1992, IEEE Press), pages 67-75, which are all incorporated by reference herein.

One commonly used stream cipher is the RC4 cipher. FIG. 5A depicts a flowchart of conventional RC4 keystream generator procedure 500 as could be implemented in, e.g., a client program within a client computer. This procedure utilizes, as shown in FIG. 5B, array S, also denoted as array 550, of 8-bit values; this array is commonly referred to as an S-box ("substitution box"). For ease of reference, the reader should simultaneously refer to FIGS. 5A and 5B throughout the following discussion.

Upon entry into procedure 500, initialization operation 510 first occurs. Through this step, the contents of S-box 550 are initialized and two counters used by the procedure, namely counters i and j, are both set to zero. S-box 550 contains 256 8-bit elements. The S-box can be initialized in various ways. One way is to entirely fill this array with random 8-bit permutations ranging from 0 to 255.

Another conventional way to fill the S-box involves several steps. First, the S-box is filled in a linear fashion beginning with a value of zero in element zero, a value of "1" in element one and so forth until the last element contains a value of 255. An index counter, j, is set to zero. Thereafter, the following operations occur iteratively for all elements, S_i, in the S-box, as indicated in the following pseudo-code:

    for i = 0 to 255;
        j <- (j + S_i + K_i) mod 256
        swap S_i and S_j in the S-box
    end

where: K_i is a predefined 8-bit seed value.
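The RC4 key schedule in the pseudo-code above, together with the four Compute K steps of block 522 and the output step of block 524 described below, written out as an added C example (this is not code from the patent). As the background section states, the seed bytes K_i are a function of a variable-length key; the example takes key byte i mod keylen, which is the standard RC4 key schedule, and checks the generator against the widely published keystream for the key "Key" (EB 9F 77 81 ...).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RC4 generator state: S-box 550 (256 8-bit elements) and counters i, j. */
typedef struct {
    uint8_t S[256];
    uint8_t i, j;
} rc4_state;

static void rc4_swap(uint8_t *S, uint8_t a, uint8_t b)
{
    uint8_t tmp = S[a]; S[a] = S[b]; S[b] = tmp;
}

/* Initialization operation 510: fill S linearly with 0..255, then for
 * i = 0..255 set j <- (j + S_i + K_i) mod 256 and swap S_i and S_j.
 * K_i is the i-th seed byte, taken cyclically from a variable-length key. */
void rc4_init(rc4_state *st, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int i = 0; i < 256; i++)
        st->S[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + st->S[i] + key[i % keylen]);
        rc4_swap(st->S, (uint8_t)i, j);
    }
    st->i = 0;
    st->j = 0;
}

/* Compute K block 520: steps (a)-(d) of block 522, then block 524 outputs S_t.
 * Every step is mod 256, which the uint8_t casts provide. */
uint8_t rc4_next(rc4_state *st)
{
    st->i = (uint8_t)(st->i + 1);                       /* (a) increment i      */
    st->j = (uint8_t)(st->j + st->S[st->i]);            /* (b) j <- j + S_i     */
    rc4_swap(st->S, st->i, st->j);                      /* (c) swap S_i and S_j */
    uint8_t t = (uint8_t)(st->S[st->i] + st->S[st->j]); /* (d) t <- S_i + S_j   */
    return st->S[t];                                    /* block 524: K = S_t   */
}

/* FIG. 4 in byte form: XOR the keystream onto buf in place. The same call,
 * from an identically seeded state, turns ciphertext back into plaintext. */
void rc4_xor(rc4_state *st, uint8_t *buf, size_t len)
{
    for (size_t n = 0; n < len; n++)
        buf[n] ^= rc4_next(st);
}

/* First four keystream bytes packed big-endian, for checking against a vector. */
uint32_t rc4_first4(const uint8_t *key, size_t keylen)
{
    rc4_state st;
    rc4_init(&st, key, keylen);
    uint32_t v = 0;
    for (int n = 0; n < 4; n++)
        v = (v << 8) | rc4_next(&st);
    return v;
}

/* Encrypt msg with one generator, decrypt with a second one seeded the same
 * way, and report whether the recovered plaintext matches (1) or not (0). */
int rc4_roundtrip_ok(const uint8_t *key, size_t keylen, const uint8_t *msg, size_t len)
{
    uint8_t buf[64];
    if (len > sizeof buf)
        return 0;
    memcpy(buf, msg, len);
    rc4_state enc, dec;
    rc4_init(&enc, key, keylen);
    rc4_xor(&enc, buf, len);          /* buf now holds ciphertext */
    rc4_init(&dec, key, keylen);
    rc4_xor(&dec, buf, len);          /* buf now holds recovered plaintext */
    return memcmp(buf, msg, len) == 0;
}
```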
Once the initialization has completed, Compute K procedure 520 is iteratively executed to generate a continuous keystream, with each successive byte of the keystream being generated by a corresponding execution of block 520. Within this procedure, execution first proceeds to block 522 to, on a (mod 256) basis, perform each of the following steps in order:

(a) increment the value of counter i by one;
(b) additively increase the value of counter j by the contents of element i in S-box 550;
(c) swap the contents of elements i and j (i.e., elements S_i and S_j, respectively) in S-box 550; and
(d) set the value of variable t equal to an additive combination of the contents of elements i and j in S-box 550, i.e., S_i and S_j, respectively.

After these operations are performed, execution proceeds to block 524 which, when executed, sets an output keystream byte, K, equal to the current contents of element S_t in S-box 550. As a result of the above steps, the contents of the S-box slowly change with use; the counters i and j respectively ensure that every element changes and does so randomly. Once this keystream byte is produced, execution iterates back, via path 530, to block 520 to calculate a next successive keystream byte, and so on, as long as the RC4 keystream generator is being operated.

While the RC4 keystream generator, as produced through block 520, appears to be sufficiently secure, for certain applications this generator is either too slow to accommodate real-time encryption or requires excessive processing capability for use in devices with limited processing ability.

We have advantageously overcome these deficiencies in the art by utilizing, in accordance with our broad inventive teachings, two different arrays, rather than one array, the latter being used in the conventional RC4 cipher, with each array having illustratively 256 32-bit elements. One array, the S array, contains a 256 element 32-bit S-box. An output stream generated by the RC4 keystream generator, from the S-box, i.e., S_t, is not taken as an output keystream itself, as in the conventional RC4 cipher, but rather, in our technique, as one input to a first predefined function, e.g., a first hash function. This first function, in response to this input, S_t, multiplied by a variable, C, provides the output pseudo-random sequence, e.g., the keystream. The S-box element, S_t, is then updated through a second predefined function, e.g., another hash function, having, as its input, the current value of S_t multiplied by the variable C. The variable, C, initially a random variable, is itself updated, for use during a next iteration, through an additive combination of its current value and a corresponding element in the second array (G), i.e., G_t. Both the S-box and G array can be initialized by, e.g., entirely filling each of these arrays with random 32-bit values.

Our inventive technique advantageously operates on a word level, e.g., 32 bits, rather than on a byte level, the latter being a current limitation of RC4. As such, this technique is considerably faster than the RC4 keystream generator. Moreover, this technique, when used to generate a keystream for use in a stream cipher, appears to be just as secure as does the conventional RC4 cipher. Consequently, our technique is particularly well suited for use in devices, e.g., consumer and other low-end products, that have limited computational resources and would not be amenable to use of the RC4 cipher.

With the above in mind, FIG. 6A depicts a flowchart of our inventive keystream generator procedure 600 as would be implemented in client computer 100 shown in FIGS. 2 and 3. This procedure also uses two arrays, S and G, collectively shown as arrays 650 graphically depicted in FIG. 6B. The S array provides essentially the same function as does S-box 550 shown in FIG. 5B; hence, the S array shown in FIG. 6B will also be referred to hereinafter as an "S-box". For ease of reference, the reader should simultaneously refer to FIGS. 6A and 6B throughout the following discussion.

Upon entry into procedure 600, execution first proceeds to block 610. This block, when executed, initializes both the S and G arrays, sets each of two counters i and j to zero, and initializes a variable C. As shown, S-array 653 and G-array 657 have M and N 32-bit elements, respectively, with both M and N illustratively being 256. Both arrays need not have the same number of elements, and this number is not limited to 256. Though the size of the S-box in RC4 could be reduced to 64 or even 32 elements, the resulting cipher may not be sufficiently secure. However, we believe our inventive algorithm will retain sufficient security when both the S and G arrays are reduced, in size, to 64 or even 32 elements. However, it is not likely that these arrays could be reduced to even fewer elements and still provide an adequate degree of security.

The S and G arrays are initialized, as shown in block 610, by completely filling both arrays with random 32-bit integers. Alternatively, the least significant byte of all elements of the S-array could be filled with random permutations ranging from 0 to 255, with the remaining three bytes of the elements in this array being filled in any manner, whether with random 24-bit values or otherwise. Counters i and j are initialized through block 610 to zero. These counters could alternatively be initialized to random values. Lastly, block 610 sets variable C to a random 32-bit integer.

Once initialization has completed, Compute K procedure 620 is iteratively executed to generate a continuous pseudo-random word sequence, i.e., here a keystream, with each successive word of the keystream being generated by a corresponding execution of block 620. Within this procedure, execution first proceeds to block 622 to perform each of the following steps in order:

(a) increment the value of counter i by one;
(b) additively increase the value of counter j by the contents of the least significant byte in element i in S-box 653;
(c) swap the contents of elements i and j (i.e., elements S_i and S_j, respectively) in S-box 653; and
(d) set the value of variable t equal to a least significant byte of an additive combination of the contents of elements i and j in S-box 653, i.e., S_i and S_j, respectively.

After these operations are performed, execution proceeds to block 624 which, when executed, sets an output 32-bit word, K_t, in the keystream, K, according to a hash function of a product involving element t in S-box 653, as given by the following equation:

K_t ← h_1(S_t · C)    (1)

where:
h_1 is a hash function of the form h_1(x)=ax+b defined over mod(M) or in Galois field, GF(2^32), with a and b being predefined constants.

Once a current keystream word is determined, execution proceeds to block 626. This block updates the value of variable C according to equation (2) below:

C ← C + G_t    (2)
and updates the contents of element t in S-box 653 according to equation (3) below:

S_t ← (1^24 0^8) ∧ h_2(S_t · C)    (3)

where:
h_2 is a hash function of the form h_2(x)=cx+d defined over mod(M) or in Galois field, GF(2^32), with c and d being predefined constants;
1^24 0^8 represents 3 bytes (24 bits) of ones followed by a byte (8 bits) of zeroes, i.e., the value "11111111111111111111111100000000"; and ∧ represents a logical bit-by-bit AND operation.

As a result of equation (3), only the upper three bytes of element t in the S-box are updated through use of the second hash function, with the least significant byte being set to zero, thereby assuring that the inventive technique exhibits, at a minimum, the same degree of security as does the RC4 cipher. Equations (2) and (3) can be performed either in the order shown or reversed. The term 1^24 0^8 could be replaced with 1^32, i.e., a word having 32 one bits.

Once the output keystream word, K, is produced, execution iterates back, via path 630, to block 620 to calculate a next successive keystream word, and so on, as long as our inventive keystream generator is being operated.

As a further variant of our inventive technique, another random variable, D, can be introduced to provide increased security and equation (3) can be replaced by equations (4) and (5) as follows:

D ← D + G_t    (4)

where:
D is also initialized, during execution of block 610, to a random 32-bit number; and

S_t ← (1^24 0^8) ∧ h_2(S_t · D)    (5)
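Procedure 600 of FIG. 6A (blocks 610 through 626, equations (1) to (3)) together with the D variant of equations (4) and (5), transcribed into Python as an added example; this is not code from the patent. It assumes h_1 and h_2 are evaluated over mod(M) with M = 2^32 so every value stays a 32-bit word, uses constructed sample constants for a, b, c and d, fills S and G from a seeded generator so runs are repeatable, and takes the mask as a parameter so both the 1^24 0^8 term and the 1^32 alternative can be exercised; the exclusive OR combination of claim 4 is included to show the keystream used as a stream cipher.

```python
import random

MASK32 = 0xFFFFFFFF
MASK_1_24_0_8 = 0xFFFFFF00   # the term 1^24 0^8 of equation (3)
MASK_1_32 = 0xFFFFFFFF       # the 1^32 alternative the text allows instead


class WordKeystream:
    """Keystream generator procedure 600 (FIG. 6A) with 32-bit arrays S and G."""

    def __init__(self, seed, n=256, mask=MASK_1_24_0_8, use_d=False,
                 a=0x9E3779B1, b=0x7F4A7C15, c=0x85EBCA6B, d=0xC2B2AE35):
        # a, b, c, d are constructed sample constants for h1 and h2 (odd
        # multipliers, so ax+b is a bijection mod 2**32), not patent values.
        self.a, self.b, self.c, self.d = a, b, c, d
        self.mask = mask
        self.use_d = use_d
        rng = random.Random(seed)  # seeded only so that runs are reproducible
        # block 610: fill S and G with random 32-bit integers, zero the
        # counters i and j, and draw random starting values for C (and D)
        self.S = [rng.getrandbits(32) for _ in range(n)]
        self.G = [rng.getrandbits(32) for _ in range(n)]
        self.i = self.j = 0
        self.C = rng.getrandbits(32)
        self.D = rng.getrandbits(32) if use_d else None
        self.last_t = None  # index t of the S element updated by the last step

    def _h1(self, x):  # h1(x) = ax + b over mod(M), assumed M = 2**32
        return (self.a * x + self.b) & MASK32

    def _h2(self, x):  # h2(x) = cx + d over mod(M), assumed M = 2**32
        return (self.c * x + self.d) & MASK32

    def next_word(self):
        """One execution of block 620: returns the next 32-bit keystream word."""
        S, n = self.S, len(self.S)
        # block 622, steps (a)-(d): j and t are driven by least significant bytes
        self.i = (self.i + 1) % n
        self.j = (self.j + (S[self.i] & 0xFF)) % n
        S[self.i], S[self.j] = S[self.j], S[self.i]
        t = ((S[self.i] + S[self.j]) & 0xFF) % n
        self.last_t = t
        # block 624, equation (1): K_t = h1(S_t * C)
        k = self._h1((S[t] * self.C) & MASK32)
        # block 626: equation (2), then equation (3) (or (4) and (5) when the
        # D variant is selected), in the order the text shows them
        self.C = (self.C + self.G[t]) & MASK32
        if self.use_d:
            self.D = (self.D + self.G[t]) & MASK32
            S[t] = self.mask & self._h2((S[t] * self.D) & MASK32)
        else:
            S[t] = self.mask & self._h2((S[t] * self.C) & MASK32)
        return k

    def words(self, count):
        """The next `count` keystream words."""
        return [self.next_word() for _ in range(count)]


def xor_words(words, keystream):
    """Claim 4: combine input words with keystream words by exclusive OR;
    applying it again with the same keystream recovers the input."""
    return [(w ^ k) & MASK32 for w, k in zip(words, keystream)]


if __name__ == "__main__":
    plaintext = [0xDEADBEEF, 0x00000000, 0x12345678]  # constructed sample words
    ciphertext = xor_words(plaintext, WordKeystream(seed=7).words(3))
    recovered = xor_words(ciphertext, WordKeystream(seed=7).words(3))
    print([hex(w) for w in ciphertext], recovered == plaintext)
```

Inspecting `S[last_t]` after each step shows the effect of the chosen mask on the S-box: with the 1^24 0^8 term the low byte of the updated element is always zero, with 1^32 all 32 bits come from h_2.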



Furthermore, our inventive technique can also be modified, again to provide enhanced security, by incorporating use of a third hash function. Here, a third hash function, h_3, of the form h_3(x)=ex+f defined over mod(M) or in Galois field, GF(2^32), with e and f being predefined constants, is used. Prior to additively updating, as shown in block 622, the value of counter j by the contents of the least significant byte in element i in S-box 653, the contents of element i in the S-box can be set as given by equation (6) below:



By now those skilled in the art clearly recognize that 
although we have described our inventive technique in 
conjunction with a very simple stream cipher, our technique 
can be used to generate a stream of pseudo-random words 
for use in any of a wide range of applications, not just 
cryptography and certainly not just stream ciphers. 

Although various embodiments which incorporate the teachings of the present invention have been shown and described in detail herein, those skilled in the art can readily devise many other embodiments that still utilize these teachings.

We claim: 

1. A word-oriented method for cryptographically converting, through a stream cipher, an input stream, into an output stream, wherein the input stream is either an incoming plaintext message (P) or ciphertext (C) and the output stream is either the ciphertext or a recovered plaintext message (P), wherein the stream cipher comprises a word-oriented pseudo-random keystream, the method being performed in a computer system having a processor and a memory, the memory storing computer executable instructions, wherein the method comprises the steps, performed by the processor in response to execution of the instructions, of:

(A) receiving each one of a plurality of words in the input stream over an input signal bearing medium, said each one word being either a word in either the incoming plaintext message or in the ciphertext;

(B) establishing, in the memory, first and second arrays (S and G, respectively) containing first and second pluralities of elements, respectively, wherein the elements in the arrays S and G are initialized in a predefined manner;

(C) forming a corresponding word (K) in the keystream for each successive word in the input stream by:
(C1) first updating a first value, stored in a first counter (i), by a predefined increment;
(C2) second updating a second value, stored in a second counter (j), by a value stored in a first element (S_i) in the array S, the first element being specified by the first value;
(C3) swapping values stored in two elements in the array S, the two elements being the element S_i and a second element (S_j), the second element being specified by the second value;
(C4) combining contents of the elements S_i and S_j so as to define a third value (t);
(C5) determining the corresponding word in the keystream, as a first predefined function of a current value stored in a third element (S_t) in the first array and a value of a first variable, the third element being specified by the third value;
(C6) third updating the value of the first variable by a value of one of the elements (G_t), specified by the third value, in the array G; and
(C7) fourth updating the value stored in S_t in response to a second predefined function of both the value stored in the element S_t and the value of said one of the elements (G_t) in the array G;

(D) combining the corresponding word in the keystream with said each successive word in the input stream to yield a corresponding word in the output stream, wherein, if the input stream is formed of words of the incoming plaintext message or the ciphertext, the output stream is formed of corresponding words of the ciphertext or the recovered plaintext message, respectively; and

(E) applying the corresponding word in the output stream onto an output signal bearing medium.

2. The method in claim 1 wherein the first and second variables are the same (C) and are initialized to a random value.

3. The method in claim 2 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

4. The method in claim 3 wherein the combining step comprises the step of combining the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

5. The method in claim 1 wherein the first predefined function is a linear function of the form h_1(x)=ax+b defined over mod(M) or in Galois field (GF(2^32)) where a, b and M are predefined constants.

6. The method in claim 5 wherein the second predefined function is a linear function of the form h_2(x)=cx+d defined over mod(M) or in Galois field (GF(2^32)) where c, d and M are predefined constants.

7. The method in claim 6 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

8. The method in claim 7 wherein the combining step comprises the step of combining the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

9. The method in claim 6 further comprising the step, prior to the second updating step, of setting a value stored in the element S_i as given by the following equation:

where
h_3 is a linear function of the form h_3(x)=ex+f defined over mod(M) or in Galois field (GF(2^32)); and
e, f and M are predefined constants.

10. The method in claim 1 wherein the fourth updating step comprises the step of combining, through a bit-by-bit logical AND operation, results of the second predefined function and a predefined value so as to yield an updated value to be stored in the element S_t.

11. The method in claim 10 wherein the predefined value is a 32-bit word formed of either three bytes of ones followed by a byte of zeroes, or four bytes of ones.

12. The method in claim 11 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

13. The method in claim 12 wherein the combining step comprises the step of combining the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

14. The method in claim 1 wherein the establishing step further comprises the step of initializing all the elements in the S and G arrays by completely filling the S and G arrays with random numbers.

15. The method in claim 14 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

16. The method in claim 15 wherein the combining step comprises the step of combining the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

17. The method in claim 1 wherein the establishing step further comprises the steps of:

completely filling all the elements in the G array with random numbers; and

completely filling a least significant byte of all the elements in the S array with random numbers.

18. The method in claim 17 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

19. The method in claim 18 wherein the combining step comprises the step of combining the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

20. The method in claim 1 wherein the third updating step further comprises the step of updating the value of element S_t in response to both a second variable (D) and a value of one of the elements (G_t), specified by the third value, in the array G; wherein the second variable D is initialized to a random value and subsequently updated in response to the value of said one element G_t.
21. The method in claim 20 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

22. The method in claim 21 wherein the combining step comprises the step of combining the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

23. A computer readable medium having computer executable instructions stored therein for performing the steps of claim 1.

24. Apparatus for a computer system which cryptographically converts, through a stream cipher, an input stream into an output stream, wherein the input stream is either an incoming plaintext message (P) or ciphertext (C) and the output stream is either the ciphertext or a recovered plaintext message (P), wherein the stream cipher comprises a word-oriented pseudo-random keystream, the apparatus comprising:

(A) a processor; and

(B) a memory, the memory storing computer executable instructions;

(C) wherein the processor, in response to execution of the stored instructions:

(C1) receives each one of a plurality of words in the input stream over an input signal bearing medium, said each one word being either a word in either the incoming plaintext message or in the ciphertext;
(C2) establishes, in the memory, first and second arrays (S and G, respectively) containing first and second pluralities of elements, respectively, wherein the elements in the arrays S and G are initialized in a predefined manner;
(C3) forms a corresponding word (K) in the keystream for each successive word in the input stream by:
(C3a) first updating a first value, stored in a first counter (i), by a predefined increment;
(C3b) second updating a second value, stored in a second counter (j), by a value stored in a first element (S_i) in the array S, the first element being specified by the first value;
(C3c) swapping values stored in two elements in the array S, the two elements being the element S_i and a second element (S_j), the second element being specified by the second value;
(C3d) combining contents of the elements S_i and S_j so as to define a third value (t);
(C3e) determining the corresponding word in the keystream, as a first predefined function of a current value stored in a third element (S_t) in the first array and a value of a first variable, the third element being specified by the third value;
(C3f) third updating the value of the first variable by a value of one of the elements (G_t), specified by the third value, in the array G; and
(C3g) fourth updating the value stored in S_t in response to a second predefined function of both the value stored in the element S_t and the value of said one of the elements (G_t) in the array G;

(D) combines the corresponding word in the keystream with said each successive word in the input stream to yield a corresponding word in the output stream, wherein, if the input stream is formed of words of the incoming plaintext message or the ciphertext, the output stream is formed of corresponding words of the ciphertext or the recovered plaintext message, respectively; and

(E) applies the corresponding word in the output stream onto an output signal bearing medium.
25. The apparatus in claim 24 wherein the first and second variables are the same (C) and the processor, in response to execution of the stored instructions, initializes the first and second variables to a random value.

26. The apparatus in claim 25 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

27. The apparatus in claim 26 wherein the processor, in response to execution of the stored instructions, combines the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

28. The apparatus in claim 24 wherein the first predefined function is a linear function of the form h_1(x)=ax+b defined over mod(M) or in Galois field (GF(2^32)) where a, b and M are predefined constants.

29. The apparatus in claim 28 wherein the second predefined function is a linear function of the form h_2(x)=cx+d defined over mod(M) or in Galois field (GF(2^32)) where c, d and M are predefined constants.

30. The apparatus in claim 29 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

31. The apparatus in claim 30 wherein the processor, in response to execution of the stored instructions, combines the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

32. The apparatus in claim 29 wherein the processor, in response to execution of the stored instructions and prior to the second updating operation, sets a value stored in the element S_i as given by the following equation:

where
h_3 is a linear function of the form h_3(x)=ex+f defined over mod(M) or in Galois field (GF(2^32)); and
e, f and M are predefined constants.

33. The apparatus in claim 24 wherein the processor, in response to execution of the stored instructions and as part of the fourth updating operation, combines, through a bit-by-bit logical AND operation, results of the second predefined function and a predefined value so as to yield an updated value to be stored in the element S_t.

34. The apparatus in claim 33 wherein the predefined value is a 32-bit word formed of either three bytes of ones followed by a byte of zeroes, or four bytes of ones.

35. The apparatus in claim 34 wherein each of the elements stored in the arrays S and G is at least 32 bits long.
36. The apparatus in claim 35 wherein the processor, in response to execution of the stored instructions, combines the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

37. The apparatus in claim 24 wherein the processor, in response to the stored instructions, initializes all the elements in the S and G arrays by completely filling the S and G arrays with random numbers.

38. The apparatus in claim 37 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

39. The apparatus in claim 38 wherein the processor, in response to execution of the stored instructions, combines the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

40. The apparatus in claim 24 wherein the processor, in response to execution of the stored instructions:

completely fills all the elements in the G array with random numbers; and
completely fills a least significant byte of all the elements in the S array with random numbers.

41. The apparatus in claim 40 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

42. The apparatus in claim 41 wherein the processor, in response to execution of the stored instructions, combines the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.

43. The apparatus in claim 24 wherein the processor, in response to execution of the stored instructions and as part of the third updating operation, updates the value of element S_t in response to both a second variable (D) and a value of one of the elements (G_t), specified by the third value, in the array G; wherein the processor, in response to the stored instructions, initializes the second variable D to a random value and subsequently updates the second variable D in response to the value of said one element G_t.

44. The apparatus in claim 43 wherein each of the elements stored in the arrays S and G is at least 32 bits long.

45. The apparatus in claim 44 wherein the processor, in response to execution of the stored instructions, combines the corresponding word in the keystream with said each successive word in the input stream through an exclusive OR operation to yield the corresponding word in the output stream.
* * * * * 